Essentially you could get away with at minimum ports 22 (ssh), 25 (smtp) and 443 (https). You might want to open up the admin port but you could simply SSH into the box and forward the port when you need it. You may also want to open up ports for IMAP, POP3 and MAPI if you use them.

The new Zimbra Appliance comes with UFW enabled by default and you don't get a much simpler firewall than that.